Hi,

Scott found that the fix for https://fedorahosted.org/freeipa/ticket/4028 is not complete. After some checks and comparisons with Samba and AD behaviour I came to the conclusion that the two \\ at the beginning of the NetBIOS name of the IPA server are not needed in the response to NETLOGON_NT_VERSION_5EX requests, which is the only type we handle so far.
In general AD seems to be smart enough to handle the \\ even in those responses, but if the NetBIOS name has 15 characters the response is not accepted anymore. Please check if you can see any regressions with this change.

During testing I came across two things related to Samba. While looking at a network trace Scott recorded, it looked like Samba does not cut a long hostname for the NetBIOS name. This might be in agreement with what Metze recently posted in his master4-schannel-ok branch for netlogon_creds_cli_context_global(). As usual Metze is smarter than us and tried to minimize the chance of name collisions with the help of a Jenkins hash. I just wonder why he treats the NetBIOS name this way only here and not generally? With respect to IPA we might want to consider setting 'netbios name' in the Samba config explicitly to avoid disconnects?

While testing against AD with other request types I've seen that in some cases the NetBIOS name was returned with the two additional \ at the beginning, even if the AD NetBIOS name already had 15 characters. Strangely, the name was even encoded in UCS-2 in this case. Unfortunately I was not able to find good documentation on the specifics of those packages. If you know some good docs please send me the link, otherwise we might want to ask MSFT for clarification.

bye,
Sumit
From 0b782064945352ad488e92b457bbfda2270ddf66 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Mon, 13 Jan 2014 10:43:33 +0100 Subject: [PATCH] CLDAP: do not prepend \\ For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in the PDC NetBIOS name. In general AD seems to be smart enough to handle the two \ signs. But if the NetBIOS name reaches the maximum of 15 character AD does not accept the responses anymore. Fixes https://fedorahosted.org/freeipa/ticket/4028 --- daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c index 9ba05829418a0d1de46f2c7776cc15c54a9eab1c..c03172d474589ddee84f1cfa5395c23fdba83bcb 100644 --- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c +++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c @@ -163,7 +163,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain, nlr->domain_name = name; /* copy the first 15 characters of the fully qualified hostname*/ - pdc_name = talloc_asprintf(nlr, "\\\\%.*s", NETBIOS_NAME_MAX, fq_hostname); + pdc_name = talloc_asprintf(nlr, "%.*s", NETBIOS_NAME_MAX, fq_hostname); for (p = pdc_name; *p; p++) { /* Create the NetBIOS name from the first segment of the hostname */ -- 1.8.1.4
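Review bot: the unprefixed name that `pdc_name = talloc_asprintf(nlr, "%.*s", NETBIOS_NAME_MAX, fq_hostname);` now produces is only known to be right for NETLOGON_NT_VERSION_5EX, the single request type the cover letter says is handled so far, but nothing in the hunk records that assumption; add a short comment above that line stating that other NT_VERSION flavours were observed to return a `\\`-prefixed, UCS-2 encoded name, so the prefix and encoding must be revisited before further request types are accepted in ipa_cldap_encode_netlogon(). The retained comment `/* copy the first 15 characters of the fully qualified hostname*/` also hard-codes the value behind NETBIOS_NAME_MAX; naming the constant there keeps the comment from drifting if the limit ever changes.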
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel